Thursday, February 27, 2014

Each year the Federal Trade Commission publishes a detailed report on the Fraud and Identity Theft complaints they received during the previous year, not just at the FTC, but throughout their Consumer Sentinel Network.

Some of the leading members of that network include the Better Business Bureau and the FBI's Internet Crime and Complaint Center (IC3.gov).

In 2012, there were 369,145 Identity Theft Complaints registered by Consumer Sentinel.
In 2013, there were 290,056 Identity Theft Complaints.

That's a 21.5% reduction in Identity Theft Complaints! Does this indicate that Identity Theft improved from 2012 to 2013? Or does it indicate that Identity Theft has become so commonplace that people don't get irate and call the Better Business Bureau or the FTC when it occurs?

Wire Transfer Tops the Fraud Losses List

American consumers are just DESPERATE to throw their money away in Wire Transfers. Even though every wire transfer place I've visited in the last two years has big warning signs about the various forms of fraud involving sending your money away in a wire transfer, it continues to be the top way in which fraudsters separate their victims from their money.

YEAR | Complaints | Money Wired Out
2011 | 115,901 | $438,343,577
2012 | 109,138 | $456,541,454
2013 | 104,984 | $507,713,984

Western Union and MoneyGram both have warning pages to help protect consumers! Follow their advice to not lose the average $4836 that more than 100,000 complained about last year!

Green Dot MoneyPak

In the most significant change in fraud payment behavior, this year 28% of fraud losses occurred via Prepaid cards, which was almost exclusively Green Dot Money cards.
Two years ago this category of fraud losses didn't even exist! From 2012 to 2013 the number of victims went up 500% and the amount of money lost went up 600%!

YEAR | Complaints | Prepaid Card Fraud Losses
2011 | 10 | $9,054
2012 | 16,914 | $6,946,619
2013 | 84,671 | $42,858,396

(image from DotFab.com)

How much of this fraud was due to the CryptoLocker and PoliceLock Ransomware? We can't be sure, but this is a PROFOUND shift in fraud loss behavior and a great deal of it is certain to be based on those two malware campaigns. We blogged about CryptoLocker using Greendot late in the year in our story Tracking CryptoLocker with Malcovery and IID, but the FBI's Donna Gregory reported on the malware as far back as this August 2012 FBI Ransomware Story where she said "We’re getting inundated with complaints!" referring to the complaints coming in to the FBI's IC3.gov complaint form, which is one source of Consumer Sentinel Data.

2013 - Top Cities for Identity Theft

Last year, 16 of the top 25 Identity Theft Metropolitan areas were in Florida. This year it has fallen to 13.

13 of top 25 in Florida (16 in 2012)
4 of top 25 in California (0 in 2012)
3 of top 25 in Georgia (6 in 2012)
1 each in Alabama, Arkansas, Michigan, Tennessee, and West Virginia

Rank | Metro/Micropolitan Area | Per 100,000
1 | Miami-Fort Lauderdale-West Palm Beach, FL | 340.4
2 | Columbus, GA-AL | 214.7
3 | Naples-Immokalee-Marco Island, FL | 214
4 | Jonesboro, AR | 190.9
5 | Tallahassee, FL | 179.4
6 | Cape Coral-Fort Myers, FL | 174.9
7 | Atlanta-Sandy Springs-Roswell, GA | 170.7
8 | Port St. Lucie, FL | 163.9
9 | Beckley, WV | 160.9
10 | Tampa-St. Petersburg-Clearwater, FL | 155.5
11 | Orlando-Kissimmee-Sanford, FL | 149.6
12 | Detroit-Warren-Dearborn, MI | 142.9
13 | Lakeland-Winter Haven, FL | 140.2
14 | Stockton-Lodi, CA | 133.1
15 | Montgomery, AL | 132.2
16 | Vallejo-Fairfield, CA | 128.2
17 | Jacksonville, FL | 125.7
18 | Memphis, TN-MS-AR | 125.5
19 | Valdosta, GA | 125.4
20 | Ocala, FL | 125
21 | Gainesville, FL | 122.6
22 | Sebastian-Vero Beach, FL | 122.4
23 | Los Angeles-Long Beach-Anaheim, CA | 119.1
24 | Deltona-Daytona Beach-Ormond Beach, FL | 118.9
25 | Fresno, CA | 118.2
26 | Albany, GA | 117.6
27 | San Francisco-Oakland-Hayward, CA | 116.8
28 | North Port-Sarasota-Bradenton, FL | 116.6
29 | Bakersfield, CA | 116.5
30 | Macon, GA | 116.2
31 | Riverside-San Bernardino-Ontario, CA | 115.2
32 | Savannah, GA | 115.1
33 | Punta Gorda, FL | 115
34 | Dallas-Fort Worth-Arlington, TX | 114.8
35 | Crestview-Fort Walton Beach-Destin, FL | 112.4
36 | Palm Bay-Melbourne-Titusville, FL | 111.3
37 | Flint, MI | 109.7
38 | Lynchburg, VA | 108.1
39 | Jackson, MS | 107.4
40 | Washington-Arlington-Alexandria, DC-VA-MD-WV | 106.3
41 | Homosassa Springs, FL | 105.5
42 | Niles-Benton Harbor, MI | 105.2
43 | Houston-The Woodlands-Sugar Land, TX | 104.7
44 | Fayetteville, NC | 102.9
45 | Sacramento--Roseville--Arden-Arcade, CA | 101.3
46 | Modesto, CA | 101.1
47 | Phoenix-Mesa-Scottsdale, AZ | 101.1
48 | Las Vegas-Henderson-Paradise, NV | 100.8
49 | Chicago-Naperville-Elgin, IL-IN-WI | 100.4
50 | Killeen-Temple, TX | 99.4
51 | Auburn-Opelika, AL | 98.4
52 | New York-Newark-Jersey City, NY-NJ-PA | 97.7
53 | San Jose-Sunnyvale-Santa Clara, CA | 96.4
54 | Reno, NV | 96.1
55 | Philadelphia-Camden-Wilmington, PA-NJ-DE-MD | 95.5
56 | Chico, CA | 95.5
57 | Napa, CA | 94.5
58 | Pueblo, CO | 94.3
59 | Baltimore-Columbia-Towson, MD | 93.4
60 | San Diego-Carlsbad, CA | 93.4
61 | Milwaukee-Waukesha-West Allis, WI | 92.8
62 | Madera, CA | 92.8
63 | Rocky Mount, NC | 92.5
64 | Laredo, TX | 92.3
65 | Beaumont-Port Arthur, TX | 92
66 | Denver-Aurora-Lakewood, CO | 92
67 | Cleveland-Elyria, OH | 91.7
68 | Santa Cruz-Watsonville, CA | 89.6
69 | Brownsville-Harlingen, TX | 89.4
70 | Goldsboro, NC | 88.9
71 | Mobile, AL | 88.6
72 | Merced, CA | 88.4
73 | Santa Maria-Santa Barbara, CA | 88.2
74 | Ann Arbor, MI | 88.2
75 | Tucson, AZ | 87.9
76 | Augusta-Richmond County, GA-SC | 87.8
77 | Atlantic City-Hammonton, NJ | 87.4
78 | Redding, CA | 86.9
79 | Greenville-Anderson-Mauldin, SC | 86.6
80 | Athens-Clarke County, GA | 86.2
81 | McAllen-Edinburg-Mission, TX | 85.6
82 | Corpus Christi, TX | 85.5
83 | Baton Rouge, LA | 85.4
84 | Sierra Vista-Douglas, AZ | 85.3
85 | Austin-Round Rock, TX | 85.2
86 | Florence, SC | 85.1
87 | Albuquerque, NM | 85
88 | Boulder, CO | 84.9
89 | Pensacola-Ferry Pass-Brent, FL | 84.9
90 | Colorado Springs, CO | 84
91 | California-Lexington Park, MD | 83.7
92 | Dalton, GA | 83.7
93 | Hattiesburg, MS | 83.3
94 | San Antonio-New Braunfels, TX | 83.2
95 | Warner Robins, GA | 83
96 | Oxnard-Thousand Oaks-Ventura, CA | 82.8
97 | Trenton, NJ | 82.7
98 | Houma-Thibodaux, LA | 82.6
99 | Dover, DE | 82.6
100 | St. Louis, MO-IL | 82.1

Alabama Identity Theft: 2012 compared to 2013

Forgive me, dear reader, for focusing on my own state just this once . . .

In 2012, Alabama's top cities for Identity Theft, and their Per Capita complaints received, were:

The Columbus, Georgia/Alabama Metro area rose 13 places in the national rank to be the second worst city in America for Identity Theft.
Montgomery, Alabama had a very slight rise in rank (from #16 to #15); although the number of complaints per capita fell, it is still one of the worst cities in America for Identity Theft.
Mobile, Alabama rose in rank by 29 places, moving from #100 to #71.

All other cities in Alabama FELL in their national rank for Identity Theft -- but one must ask, as above, is that because crime is declining, or is apathy increasing?
Have we become so desensitized to Identity Theft that we no longer feel the need to complain?

You STILL want to call your local Police to let them know about the crimes against you. If someone stole YOUR identity or scammed you, they are likely targeting others as well! Besides your local law enforcement, it would be helpful if you could take the time to share what happened to you with the FBI Internet Crime & Complaint Center (ic3.gov). This unique center in West Virginia gathers hundreds of thousands of cybercrime complaints per year into a database that can be accessed by law enforcement across the country. Perhaps you will only be another drop in the bucket, but you MAY provide the missing link that ties many smaller losses together into a major investigation!

For PHISHING EMAILS, be sure to report that phish to Malcovery's PhishIQ system! By sending us the address of that suspicious or fake bank website, our automated systems will preserve forensic evidence about the phishing website and work on linking it to other websites that may have been created by the same criminal!

Monday, February 24, 2014

On February 19, 2014, Facebook Announced the purchase of WhatsApp for $4 billion in cash and 183,865,778 shares of Facebook stock ($12 Billion in current value) plus an additional $3 billion in shares to the founders that will vest over four years, for a total purchase price of $19 Billion. Within 24 hours, spammers were using WhatsApp lures to attract traffic to counterfeit pharmaceutical websites! Journalists in the United States were scurrying trying to figure out what WhatsApp even is, let alone why it should be worth $19 Billion.

Apparently WhatsApp has been growing in popularity in other parts of the world, as documented by a survey released in November by OnDevice Research which was headlined as Messenger Wars: How Facebook lost its lead and which talked about the top Social Message Apps for mobile devices in five major markets: US, Brazil, South Africa, Indonesia, and China. While Facebook still led in the US, and WeChat clearly dominates China, WhatsApp was the leading app in Brazil (72%), South Africa (68%), and Indonesia (43%).

But those of us who keep track of spam and email-based threats have been hearing about WhatsApp for several months. As the popularity of WhatsApp grows due to the new acquisition, we believe we will see it become an even more popular spam lure. At least three distinct spamming groups have already used WhatsApp as a lure for their scams.

According to Malcovery Security's Brendan Griffin, WhatsApp was being used as a malware lure since at least September 19, 2013. I asked Brendan to give me a list of days when a WhatsApp spam/malware campaign made Malcovery's "Today's Top Threats" list. This campaign has been solidly in the top ten on:

As Steve Ragan mentioned in his ComputerWorld article on November 8, 2013, WhatsApp was one of our Top Five Imitated Brands for the delivery of malware via spam for the quarter. (See ComputerWorld - Senior executives blamed for a majority of undisclosed security incidents.)
Curiously, when I asked Brendan about the email I saw THIS WEEK imitating WhatsApp he said that was an example of spammers using the WhatsApp notoriety to drive traffic to counterfeit pharmaceutical websites!

WhatsApp spam used by ASProx Botnet to Deliver Kuluoz Malware

We've seen tremendous variety in both the malware being delivered and in the method of delivery over the course of so many spam runs. The first day we made note of the WhatsApp malware, September 19, 2013, we observed 52 different websites being advertised in the emails. Each of these websites had a file called "info.php" that was being called with a very long unique "message" parameter, such as:

/info.php?message=47lvQ31P1Nip+SkTsbYeAVNH+2aJDFeJ9djfprCHGa4=

(a couple digits have been tweaked for privacy)

Websites used for malware delivery, September 19, 2013:

aki-kowalstwo.pl
amicidelcuore.info
arsenalyar.ru
art52.ru
bhaktapurtravel.com.np
bluereefwatersports.com
cateringjaipur.com
clockcards.ie
dj220w.ru
djvakcina.com
easywebmexico.com
etarlo.ru
everyday24h.de
globalpeat.com
gourmetschlitten.com
idollighting.com
juhatanninen.com
kasutin.ru
koshergiftsuk.com
lichtenauer-fv.de
locweld.com
mbuhgalter.ru
mdou321.ru
mikemetcalfe.ca
mirvshkatulke.ru
mrsergio.com
muzikosfabrikas.lt
mywebby.ru
orbitmotion.com
orderschering.com
paternocalabro.it
paulhughestransport.com
pax-sancta.de
pennerimperium.de
planeta-avtomat.ru
rkbtservice.ru
samedaystationery.co.uk
schweitzers.com
sentabilisim.com
sewretro.com
spentec.ca
structuredsettlementsannuities.com
thaiecom.net
tiarahlds.com
tk-galaktika.ru
towi69.de
trivenidigital.com
veerbootkobus.nl
venetamalaysia.com
verfassungsschutz-bw.de
vitapool.ru
zdrowieonly.ovh.org

Visiting the link on any of those websites resulted in code on the server resolving your IP address and creating a custom malware name based on your geographic location. For example, when we visited from Birmingham, Alabama IP addresses, we received a file called "VoiceMail_Birmingham_(205)4581400.zip" - 205 is the Area code for Birmingham, Alabama, so both the city name and the telephone number provided were intended to enhance the believability that this was a "real" VoiceMail message that we should open and listen to!

At the time we received this file, VirusTotal was showing a 7 of 48 detection rate. (When the file was last checked, December 4, 2013, the detection rate had improved to 36 of 48 AV products.)

This malware delivery mechanism, with the geographically labeled secondary malware, is a signature of the ASPROX => Kuluoz malware. Kuluoz, which is also known as DoFoil, is delivered as the second phase of a malware delivery scheme that begins by having computers that are part of the ASProx botnet sending spam. This is the same campaign that delivered Walmart/BestBuy/CostCo delivery messages around the Christmas holiday, and that delivered Courthouse, Eviction, and Energy bill spam. In the more recent VirusTotal report, AntiVir, DrWeb, and Microsoft label this sample as Kuluoz, while Agnitum, CAT-QuickHeal, Kaspersky, NANO-Antivirus, VBA32, and VIPRE call it DoFoil. Zortob is another popular label seen for this malware, and Symantec calls it "FakeAVLock" while Ikarus and Sophos call it Weelsof. Weelsof is a Ransomware family, and this label, as well as the FakeAV label, is likely due to tertiary malware. When secondary malware "drops" (a term that just means that ADDITIONAL malware is downloaded from the Internet after the initial infection) it is common for AntiVirus vendors to apply the label for the "ultimate intention" to all of the malware samples seen in that particular infection chain.

An excellent student paper by Shaked Bar from August 15, 2013, describes Kuluoz's role in dropping additional malware. This diagram is from his paper, Kuluoz: Malware and botnet analysis which was submitted as Mr. Bar's Dissertation for his Masters of Science in Computer Science.

At the time of Shaked Bar's paper, the prominent delivery mechanisms were spam messages imitating UPS and DHL. He also notes an earlier spam campaign from April 2013 imitating American Airlines. Bar's paper is well worth reading as he explains how C&C traffic is XOR'ed with the byte 0x2B to test the ability of the bot to send spam as well as other potential uses. Mr. Bar documents more fully the possible tertiary malware including Zeus (Zbot), ZeroAccess, and FakeAV. The malware uses the commercial geolocation service from MaxMind to identify its location, and the location may be instrumental in determining what additional malware should be installed.

Malcovery Security analysts also called attention in our September 19, 2013 report that the WhatsApp spam, when visited from an Android device, detected the OS and dropped a file called "WhatsApp.apk". .apk files are Android's "application package file" which is used to distribute and install Android apps. Examination of the .APK file confirmed that this was Fake antivirus for your Android phone, containing descriptions of each supposedly detected malware in both English and Russian, as exhibited by this snip from the .APK file:

The URLs used to drop the infection shifted constantly. For example, these are the URLs from September 24th, each using "app.php" instead of "info.php":

More recently, the WhatsApp malware has been used by an entirely different spam sending malware team. This group, which favors the Cutwail spam botnet, uses spam messages to deliver a malware family known as UPATRE. UPATRE is a tiny malware file that is repacked constantly to ensure deliverability and that has little malicious behavior itself. The only function of UPATRE is to drop additional malware. In this case, the malware is attached as a .zip file that, when executed by the recipient in order to "play their missed message" will cause Zeus to be downloaded as the secondary malware.

Here is what the Cutwail-delivered version of the WhatsApp spam looked like on January 28, 2014:

This version of Upatre connects to the Internet to download an encoded version of GameOver Zeus to allow safe passage through any blocking and detecting methods. This model of downloading an undetectable version that is then decoded into a fully functional Zeus malware by the Upatre module was documented in this blog in our story GameOver Zeus now uses Encryption to bypass Perimeter Security.
In the case of the January 28th WhatsApp malware, the Zeus .enc file came from either:

WhatsApp Spam Delivering Canadian Health & Care Mall links?

As WhatsApp reaches the pinnacle of awareness among American spam recipients, it is only natural that the Pharmaceutical spammers would get in on the game.
On February 20, 2014, the spammers sent out "Missed Voice Message" spam with a huge number of random URLs belonging to compromised webservers. Each of the compromised webservers (usually the spammer has harvested the FTP userids and passwords in previous malware runs) has a newly created .php or .pl file that contains an encoded redirector to a pharmaceutical website.

On February 20th, the advertised spam all redirected to one of more than fifty compromised webservers, each of which then redirected to a Canada Health & Care Mall website. The advertised URLs have a simple Javascript obfuscation to try to hide the true destination, such as this page:

When interpreted as Javascript, the "setTimeout" portion says "set window.top.location.href equal to gjhqv1", and do it in "0" milliseconds.
The top portion says "set gjhqv1 equal to thedietpharmacy.com".

Reviewing 50 URLs of this type, with names such as "reactivates.php" or "bombarding.pl" or "gaelicizes.php", there were only four redirection targets:
canadavasomax.com
lossdietpharmacy.com
thedietpharmacy.com
wellnessasaletraining.com
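The redirector described above (a variable assigned near the top of the page, then a setTimeout that copies it into window.top.location.href) can be resolved statically, without ever executing the script. The following is an added example, not code from the post or from Malcovery: it recovers the destination from pages of that shape and collapses many randomly named pages down to the short list of distinct landing hosts that a defender actually cares about. The sample pages are constructed, the file names beyond the three quoted above and all variable names are made up, and the destination hosts are the four listed in the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample pages (not real captures) in the style described above:
# a variable holding the destination URL, then a setTimeout that assigns it
# to window.top.location.href. File and variable names are made up except
# the three file names quoted in the post; the hosts are the four it lists.
SAMPLE_PAGES = {
    "reactivates.php": (
        '<html><head><script>\nvar gjhqv1 = "http://thedietpharmacy.com/";\n'
        '</script></head><body>\n'
        '<script>setTimeout("window.top.location.href = gjhqv1", 0);</script>\n'
        '</body></html>'
    ),
    "bombarding.pl": (
        "<script>var q8zl = 'http://canadavasomax.com/';</script>"
        "<script>setTimeout('window.top.location.href=q8zl', 0)</script>"
    ),
    "gaelicizes.php": (
        '<script>var mm3 = "http://lossdietpharmacy.com/";\n'
        'setTimeout("window.top.location.href = mm3", 0);</script>'
    ),
    "hypothetical1.php": (
        '<script>var z9 = "http://wellnessasaletraining.com/";\n'
        'setTimeout("window.top.location.href = z9", 0);</script>'
    ),
    "hypothetical2.php": (
        '<script>var k1 = "http://thedietpharmacy.com/?ref=x";\n'
        'setTimeout("window.top.location.href = k1", 0);</script>'
    ),
    "not_a_redirector.html": "<html><body><p>Nothing here.</p></body></html>",
}

# "var NAME = 'STRING'": the top-of-page assignment.
VAR_ASSIGN = re.compile(r"""var\s+(\w+)\s*=\s*(["'])(.*?)\2""")
# Assignment to window.top.location.href, either a quoted literal or a
# bare variable name (the obfuscated form uses the variable).
REDIRECT = re.compile(r"""window\.top\.location\.href\s*=\s*(?:(["'])(.*?)\1|(\w+))""")
# The delay argument of setTimeout(...); the pages in the post use 0.
DELAY = re.compile(r"setTimeout\s*\(.*?,\s*(\d+)\s*\)", re.S)


def extract_redirect(html):
    """Return (destination_url, delay_ms) for a redirector page of this
    style, or None when the page never assigns window.top.location.href.
    Purely static: the script is parsed with regexes, never executed."""
    m = REDIRECT.search(html)
    if not m:
        return None
    literal, varname = m.group(2), m.group(3)
    if varname:
        assigned = {name: value for name, _quote, value in VAR_ASSIGN.findall(html)}
        url = assigned.get(varname)
    else:
        url = literal
    if not url:
        return None
    d = DELAY.search(html)
    return url, (int(d.group(1)) if d else None)


def redirect_hosts(pages):
    """Map page name -> destination host for every page that parses."""
    hosts = {}
    for name, html in pages.items():
        found = extract_redirect(html)
        if found:
            hosts[name] = urlsplit(found[0]).hostname
    return hosts


def unique_destinations(pages):
    """The short list a defender wants: distinct landing hosts to block."""
    return sorted(set(redirect_hosts(pages).values()))


if __name__ == "__main__":
    for name, host in redirect_hosts(SAMPLE_PAGES).items():
        print(f"{name:24s} -> {host}")
    print("distinct destinations:", unique_destinations(SAMPLE_PAGES))
```

Because the extraction is static, it only works while the destination is stored as a plain string literal; a variant that assembles the URL at runtime (string concatenation, character codes) would need the script executed in a sandbox instead, which is the usual trade-off between a cheap regex pass over thousands of pages and a slower but more general dynamic analysis.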

Monday, February 17, 2014

Last week Malcovery Security had an interesting phish show up claiming to be related to the IRS. This one turns out to be a great example of the (activate 1940 horror movie narrator voice) The POWER OF CROSS BRAND INTELLIGENCE (/activate). Here's what the website looked like:

Phish from: bursafotograf.com / profiles / interac / RP.do.htm

In this phish, the "big idea" is that you can escalate your IRS Tax Refund if you specify which bank you would like the refund to be deposited into. When you click the bank's logo, you are taken to a phishing site for that brand and asked to provide your Userid and Password, which are then emailed to the phisher. Here's an example of the page you would see if you clicked on the Regions Bank logo (graphic courtesy of PhishTank submission 2254700.)

Things get quite fascinating though when we hide the graphics:

Why would an IRS phish have ALT TEXT for four of the largest Canadian banks? By looking at the source code for the phishing page, we see that this is a very lightly rebranded Interac phish:
First, the website Title is "INTERAC e-Transfer" ...

INTERAC is a very interesting money transfer system used in Canada that allows anyone to send money to anyone else simply by using either their email address or cell phone text messaging service. A Transaction code is texted/emailed from the payer to the recipient, allowing the recipient to login to the Interac service and choose what account, and what bank, they would like to receive the funds into.

The phish has some Javascript at the top that includes variables like "var provinceList = new Array ("Alberta", "British Columbia", "New Brunswick", "Newfoundland and Labrador", "Nova Scotia", "Ontario", "Prince Edward Island", "Saskatchewan");" and a pull down menu with options "Select Institution", "Select Province or Territory" and "Select Credit Union."

As we continue into the table of graphics, we see that the phisher has changed his graphics and links to refer to the American banks, with code such as:

Phishing Cross-Brand Intelligence

It seems fairly clear that we should be able to find more phishing sites that used the original Interac code, and of course we can in the Malcovery PhishIQ system.

Here is a phish that was seen on June 21, 2013 on the website freevalwritings.com / wp / interacsessions / RP.do.htm

And another first seen on May 28, 2013 on the website anglaisacote.com / interac / RP.do.htm (note the common path on both of these that matches the current IRS phish, "interac/RP.do.htm"; RP.do.htm is used on the REAL Interac website).

Phishing & Spam Cross-Brand Intelligence

One interesting thing about phishing emails differentiates them from standard spam: while normal spam is often sent via botnets, phishing emails tend to be sent from the same IP address over a period of time. When we use Malcovery PhishIQ to examine the IRS version of the Interac phish, which attempts to steal money from Bank of America, Chase Bank, Navy Federal Credit Union, SunTrust, Regions Bank, Wells Fargo, USAA, and Citi, we see that the originally advertised URL was actually "130.13.122.25 / irsjspmessageKey-IG09210358i /". That URL forwarded visitors to the website "ernursusleme.com / Connections / irsonlinedeposit /" which then forwarded the visitors to "bursafotograf.com / profiles / interac / RP.do.htm" which is where the screenshot at the top of this article was captured.

So, to find spam messages related to this phish, it seems reasonable to search the Malcovery Spam Data Mine for emails that advertised URLs on 130.13.122.25.

We found two sets of spam messages that advertised URLs on that host in our spam collection: one batch from January 8, 2014 and the other from January 28th and 29th, 2014.

The January 28th and January 29th emails claimed to be from "From: USAA (USAA.Web.Services@customer.usaa.com)" with an email subject of "New Insurance Document Online".

Two of the emails were sent from 122.3.92.116 (Philippines) and one email was sent from 70.166.118.54 (Cox). What other emails were sent from those IP addresses?

Here are the emails from 122.3.92.116

Date | Subject | From Name | From Email
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 13, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 14, 2013 | Your account has been limited until we hear from you | service@ intl.paypal.com | survey.research-3086@ satisfactionsurvey.com
Dec 16, 2013 | Confirmation - personal information update | USAA | USAA.Web.Services@ customermail.usaa.com
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 18, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 23, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 30, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Dec 31, 2013 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 5, 2014 | Notification of Limited Account Access | PayPal | PayPal@ abuse.epayments.com
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 7, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 8, 2014 | View Your USAA Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 17, 2014 | Canada Tax send you an INTERAC e-Transfer | notify@ payments.interac.ca | notify@ payments.interac.ca
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 19, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 20, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | View and Sign Your USAA Insurance Policy | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 21, 2014 | Your dispute has been ended 01/20/2014: Get your money back | PayPal | paypal.feedback@ email.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Jan 28, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@ customermail.usaa.com
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | TD Canada Trust | notify@ payments.interac.ca

And here are the emails from 70.166.118.54

Date | Subject | From Name | From Email
Jan 29, 2014 | New Insurance Document Online | USAA | USAA.Web.Services@customermail.usaa.com
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 3, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 4, 2014 | INTERAC e-Transfer Received | notify@ payments.interac.ca | notify@ payments.interac.ca
Feb 8, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 9, 2014 | Canada Revenue send you an INTERAC e-Transfer | RBC Royal Bank | notify@ payments.interac.ca
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com
Feb 11, 2014 | Wells Fargo ATM/Debit Card Expires Soon | Wells Fargo Online | alerts@ notify.wellsfargo.com

The Power of Cross-Brand Intelligence

To summarize, we started with a new IRS phish, and through some comparisons in the Phishing and Spam Data Mines, ended with phish for USAA, PayPal, Wells Fargo, and Interac all being linked together. Investigators interested in learning more are encouraged to reach out!
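The pivot carried out above is a three-step join: find which sending IPs advertised the seed host, pull everything else those IPs sent, then group the result by imitated brand. The following is an added example of that join over an in-memory record set; it is not Malcovery's PhishIQ or Spam Data Mine code. The sender IPs, subjects and From headers are the ones reported above, but the advertised URL column is assumed (only the 130.13.122.25 URL comes from the post), the placeholder hosts ending in .invalid are made up, and the final record is a constructed unrelated message included to show that it is correctly left out.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed spam records modelled on the tables above. Sender IPs,
# subjects and From headers are the ones the post reports; the advertised
# URL column is assumed (only the 130.13.122.25 URL is from the post), the
# .invalid hosts are placeholders, and the last record is an unrelated
# control message that should not be linked to the seed.
SPAM_RECORDS = [
    {"date": "2014-01-28", "subject": "New Insurance Document Online",
     "from_name": "USAA", "from_email": "USAA.Web.Services@customer.usaa.com",
     "sender_ip": "122.3.92.116",
     "url": "http://130.13.122.25/irsjspmessageKey-IG09210358i/"},
    {"date": "2014-01-29", "subject": "New Insurance Document Online",
     "from_name": "USAA", "from_email": "USAA.Web.Services@customermail.usaa.com",
     "sender_ip": "70.166.118.54",
     "url": "http://130.13.122.25/irsjspmessageKey-IG09210358i/"},
    {"date": "2013-12-13", "subject": "Your account has been limited until we hear from you",
     "from_name": "service@intl.paypal.com",
     "from_email": "survey.research-3086@satisfactionsurvey.com",
     "sender_ip": "122.3.92.116", "url": "http://phish-host-1.invalid/pp/"},
    {"date": "2014-01-07", "subject": "Canada Tax send you an INTERAC e-Transfer",
     "from_name": "notify@payments.interac.ca", "from_email": "notify@payments.interac.ca",
     "sender_ip": "122.3.92.116", "url": "http://phish-host-2.invalid/interac/RP.do.htm"},
    {"date": "2014-02-11", "subject": "Wells Fargo ATM/Debit Card Expires Soon",
     "from_name": "Wells Fargo Online", "from_email": "alerts@notify.wellsfargo.com",
     "sender_ip": "70.166.118.54", "url": "http://phish-host-3.invalid/wf/"},
    {"date": "2014-02-01", "subject": "Your parcel could not be delivered",
     "from_name": "Parcel Service", "from_email": "noreply@parcel.invalid",
     "sender_ip": "198.51.100.7", "url": "http://phish-host-4.invalid/track/"},
]

# Crude brand attribution from the headers: enough to group the pivot output.
BRAND_KEYWORDS = [("usaa", "USAA"), ("interac", "Interac"), ("paypal", "PayPal"),
                  ("wellsfargo", "Wells Fargo"), ("wells fargo", "Wells Fargo")]


def brand_of(record):
    """Name the imitated brand from From name, From address and subject."""
    text = " ".join((record["from_name"], record["from_email"], record["subject"])).lower()
    for needle, brand in BRAND_KEYWORDS:
        if needle in text:
            return brand
    return "Unknown"


def senders_advertising(records, host):
    """Step 1: which sending IPs advertised URLs on the seed host?"""
    return sorted({r["sender_ip"] for r in records
                   if urlsplit(r["url"]).hostname == host})


def mail_from(records, ips):
    """Step 2: everything else those same IPs sent us."""
    wanted = set(ips)
    return [r for r in records if r["sender_ip"] in wanted]


def linked_brands(records, seed_host):
    """Step 3: brands tied together by the shared sending infrastructure,
    each with the distinct subjects seen for it."""
    by_brand = defaultdict(set)
    for r in mail_from(records, senders_advertising(records, seed_host)):
        by_brand[brand_of(r)].add(r["subject"])
    return {brand: sorted(subjects) for brand, subjects in sorted(by_brand.items())}


if __name__ == "__main__":
    seed = "130.13.122.25"
    print("senders advertising", seed, "->", senders_advertising(SPAM_RECORDS, seed))
    for brand, subjects in linked_brands(SPAM_RECORDS, seed).items():
        print(f"{brand}: {subjects}")
```

The same three functions work unchanged if the seed is a domain rather than an IP, and the brand map is the piece to extend first: in practice it would be driven by the phishing-site brand recorded alongside each URL rather than by keywords in the headers.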

Saturday, February 08, 2014

Since 2006, my lab at UAB, part of The Center for Information Assurance and Joint Forensics Research has been gathering spam and finding creative ways to analyze it to find new threats. Last December we licensed that technology to form Malcovery Security who have picked up the reins on the work of finding and reporting on new malicious threats in spam. Between the groups, we've evaluated nearly a billion spam messages, so when one of my analysts says they are seeing something "new" I pretty much listen to them.

This week they said "spam-delivered Malware is going through the roof!" I was traveling when I got that first report but was able to spend some time in the lab with the analysts yesterday, and they weren't kidding!

The new volume levels started on Wednesday, February 5th, with a campaign imitating Bank of America. On February 6th it changed to Visa/Mastercard, and on February 7th it was imitating FedEx. When we say it was extremely high volume, we mean it!

Date | Messages reviewed | Count | Email Subject
Feb 5 | 1,066,187 | 171,186 | Bank of America Alert: Online Banking Security Measures
Feb 6 | 1,176,667 | 303,646 | ATTN: Important notification for a Visa / MasterCard holder!
Feb 7 | 1,113,739 | 267,445 | Some important information is missing

Those numbers indicate that for the last three days this single malware distributor was accounting for 16%, 25.8%, and 24% of all the spam we reviewed! How does that compare to normal? The previous day, February 4th, we considered the "Photos" malware campaign to be heavily spammed when it reached 5% of total spam volume for the day.

Historically, we've only seen one day, either at UAB or at Malcovery, that had a higher percentage of malware-laden spam. April 17, 2013, the day following the Boston Marathon Bombing, broke all the records for heaviest spam campaign that was distributing malware, as we wrote about in Boston Marathon Explosion Spam Leads to Malware. Cisco's 2014 Annual Security Report calls attention to that spam campaign as well, saying that it accounted for 40% of all the spam messages delivered worldwide that day. Their report included this caution about "Breaking News" emails ...

Because breaking news spam is so immediate, email users are more likely to believe the spam messages are legitimate. Spammers prey on people's desire for more information in the wake of a major event. When spammers give online users what they want, it's much easier to trick them into a desired action, such as clicking an infected link. It's also much easier to prevent them from suspecting that something is wrong with the message.

Here are some more details about the spam messages that were seen in the past three days:

Computers opening this attachment would try to contact the URLs listed here. The "404.php" is an exploit kit that results in the ".exe" files being dropped: (http is changed to hYYp and spaces added to URLs for your protection)

The IP addresses that would be most critical to block to protect your network would be these. Most of these addresses are on a Cloud hosting service in Russia, "clodo.ru": some on AS48172 OVERSUN (St. Petersburg, Russia, clodo.ru) and others on AS56534 PIRIX-INET-AS PIRIX, ltd.

The .exe that gets dropped is ZeuS, though current detection would make that a bit hard to tell. The main file being dropped this morning has the MD5 hash = b32e5922c82208b5fdf6d60503d458f9. Here is the VirusTotal report for that URL as of this timestamp, which is showing greatly improved detection over my original run. ESET, Kaspersky, and Microsoft are all agreeing this is Zeus, while 9 other vendors list some form of "Generic" as the detection name.

Spamming Computers analysis

How often were the same computers used to send these campaigns? We first created three lists of IP addresses used to deliver the spam on each day. I called them ss5ip, ss6ip, and ss7ip for the three days. ss5ip was a list of the 47,380 IP addresses we saw deliver the Bank of America spam on February 5. ss6ip was a list of the 58,532 IP addresses we saw deliver the Visa/MasterCard spam on February 6. ss7ip was a list of the 51,883 IP addresses we saw deliver the FedEx spam on February 7.

Those 107,987 IP addresses sent Malcovery's spam accounts an average of 6.8 emails each and a median of 4 emails each. The two top spamming IP addresses were 86.64.142.28 (France, 158 messages) and 200.123.8.123 (Peru, 142 messages).

I geo-coded those IP addresses that sent more than 10 emails to us, which was a total of 21,955 IP addresses from 141 countries. A very unusual number of IP addresses, more than 45%, are from Spanish-speaking countries. At some point this botnet probably enlarged itself through Spanish-language spam- or website-based malware.
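The overlap question above (the three daily lists add up to 157,795 entries, yet the post counts 107,987 distinct addresses) is a set-intersection exercise, and the per-IP averages are a simple counting exercise. The following is an added example, not code from the post or from Malcovery; the log records are constructed (documentation-range IPs, three days), and the date strings are assumed to be the only grouping key you need.

```python
from collections import Counter, defaultdict
from statistics import mean, median

# Constructed sample records (not data from the post): one (date, sender IP)
# pair per spam message received. Real input would be tens of thousands
# of rows per day, e.g. parsed out of the MTA's Received headers.
SAMPLE_RECORDS = [
    ("2014-02-05", "198.51.100.10"), ("2014-02-05", "198.51.100.10"),
    ("2014-02-05", "198.51.100.11"), ("2014-02-05", "203.0.113.5"),
    ("2014-02-06", "198.51.100.10"), ("2014-02-06", "203.0.113.5"),
    ("2014-02-06", "203.0.113.6"), ("2014-02-06", "203.0.113.6"),
    ("2014-02-07", "198.51.100.10"), ("2014-02-07", "203.0.113.7"),
    ("2014-02-07", "203.0.113.7"), ("2014-02-07", "203.0.113.7"),
]


def per_day_ip_sets(records):
    """Group sender IPs by day, mirroring the ss5ip/ss6ip/ss7ip lists."""
    by_day = defaultdict(set)
    for day, ip in records:
        by_day[day].add(ip)
    return dict(by_day)


def overlap_report(ip_sets):
    """Measure how many senders reappear across days.

    Returns the per-day list sizes, the number of distinct senders over the
    whole period (the union), the number seen on every day, and the size of
    each pairwise intersection.
    """
    days = sorted(ip_sets)
    union = set().union(*ip_sets.values())
    common = set.intersection(*ip_sets.values()) if ip_sets else set()
    pairwise = {}
    for i, a in enumerate(days):
        for b in days[i + 1:]:
            pairwise[(a, b)] = len(ip_sets[a] & ip_sets[b])
    return {
        "per_day": {d: len(ip_sets[d]) for d in days},
        "distinct": len(union),
        "seen_every_day": len(common),
        "pairwise": pairwise,
    }


def volume_stats(records, top_n=2):
    """Messages per sender IP: mean, median, and the heaviest senders."""
    counts = Counter(ip for _, ip in records)
    values = list(counts.values())
    return {
        "mean": mean(values),
        "median": median(values),
        "top": counts.most_common(top_n),
    }


if __name__ == "__main__":
    sets = per_day_ip_sets(SAMPLE_RECORDS)
    print(overlap_report(sets))
    print(volume_stats(SAMPLE_RECORDS))
```

The gap between the sum of the daily list sizes and the size of the union is the reuse rate of the sending bots; a large median relative to the mean would point at a few very loud senders, which `top` then names.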

Sunday, February 02, 2014

The criminals behind the malware delivery system for GameOver Zeus have a new trick: encrypting their EXE file so that as it passes through your firewall, web filters, network intrusion detection systems and any other defenses you may have in place, it does so as a non-executable ".ENC" file. If you are in charge of network security for your Enterprise, you may want to check your logs to see how many .ENC files have been downloaded recently.

Malcovery Security's malware analyst Brendan Griffin let me know about this new behavior on January 27, 2014, and has seen it consistently since that time.

On February 1st, I reviewed the reports that Malcovery's team produced and decided that this was a trend we needed to share more broadly than just to the subscribers of our "Today's Top Threat" reports. Subscribers would have been alerted to each of these campaigns, often within minutes of the beginning of the campaign. We sent copies of all the malware below to dozens of security researchers and to law enforcement. We also made sure that we had uploaded all of these files to VirusTotal which is a great way to let "the industry" know about new malware.

To review the process, Cutwail is a spamming botnet that since early fall 2013 has been primarily distributing UPATRE malware via Social Engineering. The spam message is designed to convince the recipient that it would be appropriate for them to open the attached .zip file. These .zip files contain a small .exe file whose primary job is to go out to the Internet and download larger, more sophisticated malware that would never pass through spam filters without causing alarm, but which, because of the way our perimeter security works, is often allowed to be downloaded by a logged-in user from their workstation.

As our industry became better at detecting these downloads, the criminals have had a slightly more difficult time infecting people. With the change last week, the new detection rate for the Zeus downloads has consistently been ZERO of FIFTY at VirusTotal. (For example, here is the "Ring Central" .enc file from Friday on VirusTotal -- al3101.enc. Note the timestamp. That was a rescan MORE THAN TWENTY-FOUR HOURS AFTER INITIAL DISTRIBUTION, and it still says 0 of 50.) Why? Well, because technically, it isn't malware. It doesn't actually execute! All Windows EXE files start with the bytes "MZ". These files start with "ZZP". They aren't executable, so how could they be malware? Except they are.

In the new delivery model, the .zip file attached to the email has a NEW version of UPATRE that first downloads the .enc file from the Internet and then DECRYPTS the file, placing it in a new location with a new filename, and then causing it both to execute and to be scheduled to execute in the future.

I am grateful to William MacArthur of GoDaddy, Brett Stone-Gross of Dell Secure Works, and Boldizsár Bencsáth from CrySys Lab in Hungary, three researchers who jumped in to help look at this with us. Hopefully others will share insights as well, so this will be an ongoing conversation. (UPDATE: Boldizsár has published details of how the encoding works -- the file is first compressed and then XOR'ed with a 32-bit key; Upatre reverses the process to create the .exe file.)
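The two defensive checks the post suggests, looking back through download logs for .ENC files and noticing that the files do not carry the "MZ" header a real EXE would, are small enough to script. The following is an added example and not the post's or Malcovery's code. It assumes a proxy log in the form "timestamp client_ip method url status bytes" (the sample lines are constructed; the host is a placeholder and only the al3101.enc filename comes from the post), and it treats the "ZZP" prefix the post reports as a triage marker, not as a confirmed constant across every sample.

```python
import re
from collections import defaultdict

# Constructed proxy log lines (not from the post). Assumed format:
# "<timestamp> <client_ip> <method> <url> <status> <bytes>".
SAMPLE_PROXY_LOG = """\
2014-02-01T09:14:02Z 10.0.0.21 GET http://example.invalid/docs/report.pdf 200 48213
2014-02-01T09:15:40Z 10.0.0.21 GET http://example.invalid/tmp/al3101.enc 200 317440
2014-02-01T09:16:11Z 10.0.0.35 GET http://example.invalid/img/logo.png 200 5120
2014-02-01T10:02:55Z 10.0.0.42 GET http://example.invalid/update/pkg.ENC 200 301056
2014-02-01T10:03:10Z 10.0.0.42 GET http://example.invalid/update/pkg.ENC?r=1 200 301056
"""

# ".enc" at the end of the path, before any query string or fragment,
# case-insensitive because the post shows both ".enc" and ".ENC".
ENC_PATTERN = re.compile(r"\.enc(?:[?#]|$)", re.IGNORECASE)

# Header bytes: "MZ" is the DOS stub every Windows PE starts with; "ZZP" is
# the prefix the post observed on the encoded GameOver Zeus payloads.
PE_MAGIC = b"MZ"
ZZP_MAGIC = b"ZZP"


def parse_proxy_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": int(status), "bytes": int(size)}


def find_enc_downloads(log_text):
    """Return (client_ip, url, bytes) for every successful .enc download.

    Only 2xx responses count: a blocked or 404'd request never delivered
    a payload, so it is a different (still interesting) signal.
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_proxy_line(raw)
        if rec is None or not 200 <= rec["status"] < 300:
            continue
        path = rec["url"].split("://", 1)[-1]
        if ENC_PATTERN.search(path):
            hits.append((rec["client"], rec["url"], rec["bytes"]))
    return hits


def clients_by_enc_count(hits):
    """Which workstations fetched .enc files, and how many times each."""
    counts = defaultdict(int)
    for client, _, _ in hits:
        counts[client] += 1
    return dict(counts)


def classify_header(first_bytes):
    """Triage a file by its leading bytes: a PE, the ZZP-prefixed encoded
    form the post describes, or something else."""
    if first_bytes.startswith(PE_MAGIC):
        return "pe"
    if first_bytes.startswith(ZZP_MAGIC):
        return "zzp-encoded"
    return "other"


if __name__ == "__main__":
    found = find_enc_downloads(SAMPLE_PROXY_LOG)
    for client, url, size in found:
        print(f"{client} fetched {url} ({size} bytes)")
    print(clients_by_enc_count(found))
    # Constructed headers, not bytes from any real sample.
    for sample in (b"MZ\x90\x00\x03\x00", b"ZZP\x00\x12\x34", b"%PDF-1.4"):
        print(sample[:4], classify_header(sample))
```

A workstation that shows up in `clients_by_enc_count` is the place to go looking for the small UPATRE .exe and the renamed, scheduled copy of the decrypted payload the next paragraph describes; the header check is for files already sitting in a proxy cache or sandbox, where an antivirus verdict of 0 of 50 says nothing because the bytes are not yet a program.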

UPATRE campaigns that use Encryption to Bypass Security

Here are the campaigns we saw this week, with the hashes and sizes for the .zip, the UPATRE .exe, the .enc file, and the decrypted GameOver Zeus .exe file that came from that file. For each campaign, you will see some information about the spam message, including the .zip file that was attached and its size and hash, and the .exe file that was unpacked from that .zip file. Then you will see a screenshot of the email message, followed by the URL that the Encrypted GameOver Zeus file was downloaded from, and some statistics about the file AFTER it was decrypted.

ALL OF THESE SPAM CAMPAIGNS ARE RELATED TO EACH OTHER! They are all being distributed by the criminals behind the Cutwail malware delivery infrastructure. It is likely that many different criminals are paying to use this infrastructure.